something you are (e.g. biometric data such as fingerprints, iris scans,
voice patterns)

The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000,
c. F-25 requires that Athabasca University (AU) protect personal information
against unauthorized use or disclosure by making reasonable security arrangements.
The degree of authentication must be appropriate to the nature of the use or
disclosure and the sensitivity of the personal information involved. In circumstances
requiring a higher level of authentication, AU should use multi-factor authentication
(i.e., two or more forms of authentication to confirm identity).

When AU interacts with a person exercising the rights of another person under
Section 84 of the FOIP Act, AU must authenticate the identity of the person exercising
the right. Authentication requires that AU obtain a copy of the document granting
the person the right to act for another (e.g., guardianship order, personal
directive, power of attorney).

Providing Information to Students Over the Telephone

Before disclosing a student's personal information (e.g., grades) to a caller
who purports to be the student, AU must verify that the person is who they say
they are. Various methods may be used; for example, a "shared secret,"
where the person provides some information known only to him or her and AU, such
as information about a previous transaction, a case number or a password created
for the purpose of authentication. So long as there is no reason to distrust
the caller, a student identification number can be accepted as proof of authentication.
If, for whatever reason, you doubt the truthfulness of the caller, use a second
form of authentication. For example, ask the caller what the last course
he or she completed was.

Acknowledgment

AU wishes to acknowledge its reliance on publications issued by the Access
& Privacy Branch, Alberta Government Services, which were used in the preparation
of this guideline.